How Hackers Think.🔥Chris Roberts🔥Latest AI Risks for Business

Show Notes

Rural Healthcare and small/midsized businesses are being tipped over the edge. Not by Tariffs or high interest rates, but by investments needed into protecting their people and systems from disruption. How can you protect yourself from something you don’t know? A risk you don’t understand. What if you could think like a hacker… and use that power to protect your business?

In this exclusive interview, we sit down with Chris Roberts, world-renowned cybersecurity expert, CISO and self-defined “Hacker” to explore:

• 🤖 How Hackers Think — and why it matters more than ever
• 🧠 New AI Risks facing small businesses & rural healthcare
• 🎭 Deepfake Detection and the rise of synthetic threats

From AI-powered attacks to defending the digital frontlines, Chris breaks it all down with real stories, hacker secrets, and eye-opening strategies. Discover:

• 🚨 The difference between hackers and cyber criminals (yes, there’s a BIG difference)
• 🔒 The newest AI security protections available now
• 🏥 Practical ways to protect rural healthcare and small orgs

Whether you're a business leader, tech enthusiast, or just curious about how the hacker mind works, this conversation will change the way you see digital threats.

This one’s eye-opening, practical, and unforgettable.

🎧 Listen. Learn. Protect.

👇 Watch/Listen now and arm yourself with exclusive insight only a world-renowned hacker can provide. #CyberSecurity #AIrisks #HackerMindset #ChrisRoberts #Deepfakes #SmallBusinessSecurity #RuralHealthcare #CyberCrimeJunkies #CyberProtection

Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Chapters

• 0:00: Chris Roberts and Hacking Stories
• 2:52: How Hackers Think
• 5:22: Latest Ai Risks For Business
• 8:06: The Impact of Deepfakes on Hiring and Employment
• 12:32: Challenges in Detecting Deepfakes
• 14:35: The Future of Cybersecurity and AI
• 17:46: AI's Role in Accelerating Cyber Threats
• 22:54: How Hackers Protect Business
• 29:57: The Evolution of AI and Its Implications
• 35:24: Incident Response: The Importance of Preparedness
• 41:53: How To Protect Rural Organizations
• 48:23: Innovative Solutions for Crisis Management
• 52:15: Future Endeavors and Insights from the Field

Transcript

How Hackers Think. 🔥Chris Roberts🔥Latest AI Risks for Business

 Host David Mauro interviews notorious hacker, Chris Roberts, a renowned cybersecurity expert, discussing How Hackers Think and the latest AI Risks For Business.

We recently reconnected with a legend when I was blessed to sit down with the legendary Chris Roberts—a globally recognized CISO and Strategist for WWT’s AI and DEEPFAKE initiatives. Chris is one of the original DEFCON leaders and a world-renowned hacker with stories that sound like movie scripts... except his stories..are real.

We dive into what every business leader needs know and to do first—before cyber attacks like ransomware hit:

Rural Healthcare and small/midsized businesses are being tipped over the edge. Not by Tariffs or high interest rates, but by investments needed into protecting their people and systems from disruption. How can you protect yourself from something you don’t know? A risk you don’t understand. What if you could think like a hacker… and use that power to protect your business?

In this exclusive interview, we sit down with Chris Roberts, world-renowned cybersecurity expert, CISO and self-defined “Hacker” to explore:

• 🤖 How Hackers Think — and why it matters more than ever
• 🧠 New AI Risks facing small businesses & rural healthcare
• 🎭 Deepfake Detection and the rise of synthetic threats

From AI-powered attacks to defending the digital frontlines, Chris breaks it all down with real stories, hacker secrets, and eye-opening strategies. Discover:

• 🚨 The difference between hackers and cyber criminals (yes, there’s a BIG difference)
• 🔒 The newest AI security protections available now
• 🏥 Practical ways to protect rural healthcare and small orgs

Whether you're a business leader, tech enthusiast, or just curious about how the hacker mind works, this conversation will change the way you see digital threats.
This one’s eye-opening, practical, and unforgettable.


🎧 Listen. Learn. Protect.
👇 Watch now and arm yourself with exclusive insight only a world-renowned hacker can provide. #CyberSecurity #AIrisks #HackerMindset #ChrisRoberts #Deepfakes #SmallBusinessSecurity #RuralHealthcare #CyberCrimeJunkies #CyberProtection

Topics: Chris Roberts, How Hackers Think,Latest Ai Risks For Business,How AI Detection Works,Inside The Hacker Mind,Hacker Secrets,Deepfake Detection,Hacker Mindset,new ai risks for business,New Ai Risks To Small Business,ai effects on small organizations,New Ai Security Protections,Ways To Protect Rural Healthcare,Rural Healthcare Security,How To Protect Rural Organizations,Protecting Rural Organizations,Ai Risks From Hackers,Ai Risks To Healthcare,New Ai Deception,Ai Deception,How Hackers Protect America,How Hackers Protect Business,How Hackers Can Help Business,Latest Ai Threats To Small BusinessLatest Ai DeceptionIncident Response Plans,

Speaker 2 (00:00.91)
you

Speaker 1 (00:05.216)
Imagine hacking the Mars Rover, breaking into NASA and the International Space Station, all for educational purposes. Or imagine hacking and exposing tracking devices on camels in the Middle East. So these multimillion dollar prize show camels disappear off a tracking map. Yeah, my guest did all of that. Welcome to Cybercrime Junkies. Today I sit down with the legendary Chris

Roberts, a globally recognized CISO and strategist for worldwide technologies, AI and deep fake initiatives, one of the original DEFCON leaders and a world renowned hacker with stories that sound like movie scripts, except that his are real. We dive into what every business leader needs to know and do first before cyber risks like ransomware hit things like incident response plans, tabletop exercises and even real world

solutions and ways to protect rural organizations and smaller organizations like rural health care systems and some small businesses. This episode is eye-opening, practical and unforgettable. Let's get into it. This is Cybercrime Junkies and now the show. Look, let's be real. Cybercrime is everywhere. Data breaches are hitting headlines constantly.

I started cyber crime junkies for two reasons, because true crime stories are addictive and because leadership can be learned and great leaders need to understand cyber today without all the technical jargon. So do us a favor, smash that subscribe button, join a community that's done with doing things the way they've always been done. So let's get ahead of the threats and become the kind of leaders who actually stop them. These days being informed,

isn't optional. This is Cybercrime Junkies and now the show.

Speaker 1 (02:09.096)
All right, well, welcome everybody to cybercrime junkies. I am your host David Morrow and in the studio today is a living legend, world famous globally recognized strategist, researcher, hacker, advisory board member, CISO, military veteran, and author currently serving as the artificial intelligence and deepfake cyber strategist at World Wide Technology, the one and only Chris

Robert, sir, welcome to the studio.

I appreciate the heck out of that intro. feel if, just remind my ego that I still need to be able to get through the damn door if it doesn't in the first. Yeah.

Yes, hey, will gladly do that before any Zoom meetings or Teams meetings you have. Just come in, intro you, and leave.

Yeah, don't do that to me. I tell you people I'll start to believe the rubbish at which point in time I'll lose my swear

Speaker 1 (03:05.774)
So how have you been? You've doing well. You've had a lot of changes. I see you're doing a lot of work, a lot of speaking events, keeping busy I see.

Yeah, keeping very, very busy, which probably isn't a bad thing. You know, to some degree, it's nicer to be busy than is twiddling thumbs wonder what they're meant to be doing. So it's good. it's definitely, as you said, definitely different, a lot of change over the last 12 months, you know, change locations, change jobs.

from Colorado to Missouri era.

Yeah, middle of the Swamp Lands, Missouri, which is definitely a change and not a bad one. Yeah, for a variety of reasons I moved here. And I think what I appreciate about this neck of the woods is the greenery. I missed that in Colorado. I got to be honest, I just got fed up with with brush brown, lots of California wildfire smoke and overcrowded overcrowded parks and trails and obviously the

That was just stupid.

Speaker 1 (04:09.314)
Yeah, absolutely. no, the Midwest is really affordable, good, good general ways to get around. mean, it's got a lot of things to offer. You just have to know where to look.

think that's it. You know, it's, it's interesting because there's pockets. There's pockets, you know, I remember going up to corn con you go to corn con, which is in freaking Davenport, Iowa.

I know, I'm very familiar with that area. It's nowhere.

middle of nowhere.

the most amazing restaurant known and kind. Doug city bistro. It's just, I don't know what the heck they were. I mean, I do know because I talked to the chef, but it was amazing, but it's just, it's like here, you know, I've got more diverse food choices and cultural choices here in, you know, St. Louis neck of the woods. I'm south of St. Louis than I ever got in Colorado. I'm just like, you know, stuff like that.

Speaker 1 (04:45.472)
So now.

Speaker 2 (05:08.814)
Unless you know, you just ignore it.

I think a lot of it is just, you know, our, I don't want to say like the media. just mean just common relationships and things. People just always assume the coasts and the bigger cities have all of it. And like the Midwest is just cow tipping on the weekends. Like, you guys would need to come here and stay a little. It's a little different.

I'm like...

Speaker 2 (05:36.884)
Yes, say that. I don't want them. I-

Don't. I know. Like, that's a good point. Yeah, it's a good point. Like, there's a reason it's special here.

mean that was Colorado was I mean I got sent out there in or brought out there in 0506 ish so

That was a pretty long stamp. Yeah, you were out there for a while.

Yeah. Now I move about every six months, but I was out there for a long time. And I saw it even when I went out there, I felt guilty. like, I'm sorry. I'm coming to Colorado and it was still relatively quiet and civilized, but I like it's, it's, feel, have a level of pity and empathy for people that grew up there and you know, they've seen their fields turned into Starbucks basically. I'm like,

Speaker 1 (06:15.512)
Yeah.

Speaker 1 (06:25.346)
Yeah. Yeah. I mean, there's that constant demand for consumption that Americans have and this, you know, the constant demand for development and then a lot of good history and a lot of good tradition goes, goes away. but that's where cybersecurity kind of comes in to kind of protect. Hey, so one of the things, you know, and I've clarified this numerous times on our podcast and one of the things you taught us.

right in when we were first starting this podcast, which was phenomenal, was the concept of a hacker, right? Because so many people, business owners that we speak with, leaders in midsize organizations, they have a preconceived notion, right? They just assume that the term means somebody that's going to do harm or that somebody's going to break things. And really, what they're not

really concerned that their heads always spin whenever I explained. You're not concerned with hackers. You want to employ them. You want to have them on your side. You're concerned about cyber criminals. You're concerned about threat actors and they can come in the form of a lot of different things. Some of them may have technical skills like a hacker would, and some of them are just part of organized crime or part of groups, right?

Yep. Yeah, very much so. mean, you start taking a look at organized crime and groups and that point you're looking at criminal adversary, attacker, malicious individual minutes. To me it's the same thing. It's let's say we have an accountant. That accountant is an accountant. If that accountant goes rogue, right? We don't look at them as a malicious accountant or a whatever. They're criminal. You know, it's,

I was as a

Speaker 1 (08:23.2)
and behind the actions.

And that's it. It's like, if you've got somebody who's working on computers or then they're working on computers, they are a cybersecurity folk like me. mean, I identify as you said, as a hacker, but it's ironic. And this isn't deliberate. I realize I'm wearing my redneck science sweatshirt today. And I mean, probably one of the, love, I love the guy that does the YouTube videos all over it. When you think about it, that's a hacker. mean, the

He sees stuff that that guy does with a bunch of friends out in the middle of cornfields is amazing, but he's hacking and he's hacking vehicles and everything else. Always a mechanic with a flare, shall we say, but it's the same thing. think it's, you it drives me nuts more often than not when in our own industry, if it's somebody from business or if it's a person on the street.

I can forgive that 100 % because they've seen the media, they've listened to the media, but if there's somebody in our own industry, I took some...

Still just calling them hackers. doesn't make sense. Yeah, it's frustrating.

Speaker 2 (09:26.976)
It terribly frustrating. took somebody to task over at the other day. was like a new startup company that was advertising for people. And I'm just like, Hey, you're beating up on the very people, the start of this industry and they're like, well, we'll call them black out. And I'm like, really? You're going to go, you're going to go there in today's level of sensitivities. You're going to say white equals good, black equals bad.

Yeah, probably not the best. I think all are right. You can you can just say threat actor like everybody knows what that is or or cyber criminal. Everybody knows what that is.

Exactly. Yeah, very, very much so. So I think it's, one of those.

I didn't even think about the black hat, white hat thing. jeez. that's good.

We didn't years ago when you think about it. Black Hat's been going about 30 odd years now. When you think about it, it was a Black Hat. I identified as a Grey Hat. One of my license plates on one of my cars years ago, and I still have the plate, was Grey GLY Hat.

Speaker 1 (10:31.278)
That's great.

But you look at today's society and the last thing I want to do is stand up on stage and go, know, white hats are good because they're white hats. Let's not do that. We've learned a little bit.

Exactly.

Speaker 1 (10:46.264)
So tell me about, I'm excited about your new role. So AI and deep fake strategist. I've got in, and you know, this taps into the hacker mind. The hacker mind is, the hacker mindset is one, at least to me, that is an early adopter of technology, finding ways to change technology and really see all the different things that it can be done. And you know, we see that approach in,

in other fields too, like in medicine, there's a medicine that's pushed to market to do X, but then they find it's able to do Y because people were creative with it. And now it's now, now you can use it for multiple things. Very similar to technology and new technology comes out and it's pushed to market a certain way, but then you can, you know, turn it, leverage it, break it, reconstructure it, right? Reverse engineered. Now it's used a whole bunch of different ways.

AI and deepfakes are something I've been just researching and delving into for a couple of years now. mean, the first, I remember the first FBI alert to them was like back in 20, like 2020 or, and then they had a follow-up one in 2022 and nobody was even talking about them. think because generative AI wasn't out yet, but now.

That's, I mean, that in the last two years that has absolutely taken over things. And I think from a human standpoint, we've, we've, we've fallen straight into it. Cause I mean, if you think about it on our phones, you know, these things, how many years have we been able to do some like editing of our pictures and then, then you could buy an app or get an app for free that allowed you to put ears on and change your face and even think about it on zoom. we were all in lockdown.

Zoom gave the ability to change your facial features. So changing the perception of how others see us has been something that we've done in the digital format now for quite some time. that we've done a really nice job of like opening that door to deep fakes, unfortunately, because now people are like, this is really, really cool. And you don't think that you're being manipulated or you don't think to ask the questions or, you know, like on anything along these lines, when you actually

Speaker 2 (13:06.924)
You and I are talking now, you know, our images might not be perfect. So if I'm like, you're really personal or deep fake, and I'm to be looking for liveliness, I'm going be looking, I'm not even going to see it half the time because the bloody image is terrible.

Right. Well, and this and the drive for AI and deep fake, the risk there to me, it affects societal, financial, national security, hiring, recruiting. Like I've seen it in place in so many organizations. I'll give you an example. About a month ago, I was talking to a small business in Tennessee. They were saying, I was asking them about,

How are you leveraging technology? How are you, you know, what challenges are you having? And they said AI and hiring is really bogging us down. And I said, what do you mean AI and hiring? They said, we're getting all these resumes. have four, they had four open positions, company of maybe 25 employees, but they had four open positions and they were getting resumes that were really good. Too good. Right? They were perfect. So they were calling these people in.

And it was for remote work. was for some develop, you know, application development work, things like that. And the identity was clean. did reference checks, background checks, criminal history checks. They, that was clean. the resume was good, but they would get on the video call and it just, something wasn't there and it was happening repeatedly. They couldn't put their finger on it. And then ultimately one of their, like in, in,

They told me they had about 15 different interviews. And then at one point, one of the later ones, the virtual camera started to glitch and the real person was being shown in the background. And the person was at a call center. They were at a call center overseas. he goes, what is going on? He goes, I've had so many of these. And the person was honestly,

Speaker 1 (15:14.412)
I was surprised, but the person was candid because he was like, I'm not going to get in trouble. This person can't do anything. And basically just said, look, we're at a call center. We're just trying to get income. We're just trying to get streams of income. There's so much risk with that, right? Not only are you paying somebody that's not who you think you're employing, you're going to give them access to your systems.

And then you see that the fraudulent stuff is it's working at a company a while ago and we investigated one of our people because they were doing their job a little more efficiently than we were used to shall we say and it came to light that there was some the rumors of them offshoring some of their work to somebody else was was a little too close to home shall we say

And at that point, mean, kudos to them, you you get your incomes from multiple streams and you pay a percentage of it to somebody else. But exactly, you look at risk and I mean, it's through the roof at that point. So, you know, especially if they're working on anything, not necessarily classified, but anything that might have any kind of consequence anywhere else, or if they're in a supply chain for a major vendor or partner or whoever else it is, mean,

Yeah, you're opening yourself up. mean, and you know, in, in, in fairness to the call center, to your point, they, they probably, there might've been nothing malicious. It might simply, exactly as you said, just be a complete source of income at that point, which is great until somebody like me goes, huh, there's a call center that has all these people doing all these different things somewhere. The security isn't going to be where it needs to be. And you start picking on those places and that gets real nasty, real fast.

Yeah. And, and it seems to really be bolstering. mean, from a high level, see various legitimate companies, they're going to market with creating your own avatar. train your own avatar and that way you can attend multiple meetings, right? You can, you can, you know, do a lot of, tasks and it'll look like you, it'll sound like you, it'll think like you, it'll transcribe the notes and then you can check it later. Right.

Speaker 1 (17:29.13)
I see the legitimate value, but then you apply, you know, the criminal mindset to that. And you're like, holy cow, it's not just going to stop at a phishing email now. Now it's going to be following up with a team's call or a zoom meeting afterward to verify we want you to make that wire transfer. We want you to release those sensitive information. I mean, it becomes very powerful.

Oh, absolutely. Cause it's like anything it's, you know, we're at a point where we have some level of cynicism when it comes to inbound emails, inbound text messages, but we haven't built that cynicism up when it comes to visual connection, whether it's in person, obviously, or if it's digital like this. And let's face it, deep fake is doing nothing more than social engineering's done for what? A couple of thousand years at least.

That's exactly right. mean, it's really well in the the deep fake detection as far as I know and I wanted to get your take on this like the deep fake detection doesn't seem to be as advancing as quickly as the deep fake use.

Yes, 100%. More than a first statement. Yes. Yeah. Well, unfortunately, once more, our adversaries have gotten a pretty decent leap on us on this one. And I don't see that closing anytime soon. Now I caveat that. So, upside of what I'm doing at WWT is I get to talk to all the vendors and suppliers and there's a bunch that are working on it. And I think this is where, again, our industry tends to shoot itself in both feet because

Now there's...

Speaker 2 (19:04.844)
Let's say you and I have a bright idea about how to stop deep fakes on this rather than you and I collaborating. And, you know, we, we go back to what the essence of our industry used to be, which is like, Hey, I this really cool idea. Let's collaborate on it. And we, we solve shit. I mean, that used to be what we did now. It's like, well, you know, if I keep my idea to myself, I can make some money on this and you do the same thing. And all of a sudden there's two of us doing the same thing. Our industry, mean,

I turned to the WT with a spreadsheet. had 70 odd vendors that said that they did deep fake and most of them had a really good talk about it. Not many of them were actually doing much with it and even fewer were doing anything that I would call novel. Now I caveat this by saying this past Friday, I sat down and had a really, really in-depth conversation with a company who I'm like, huh, didn't expect this from you, but I'm glad because you've always had a history of innovation.

And so we're really going to look very, very closely at who we have in the mix and probably to make some changes because we're out working with a bunch of companies on, I'm not going to say solving this, but on tackling this to an extent more than just crossing fingers and hoping people can actually spot it. So that's plan.

Well, that's good. mean, what is your vision of what can be done to detect it? Like, would it be something like I would think in the ecosystem of Microsoft Teams, you get on a Teams call, like there would be either an app or some additional subscription you could buy from Microsoft, which will work X amount, X percentage of the time, right? Not worth the rest, but at least it'll

be there and then they could show you whether the person I would think if somebody has a virtual camera up that is filtering the real you and what they see that that should be able to be detected.

Speaker 2 (21:05.208)
some degree. Yeah. And I think this is where it gets interesting because to your point, his and this is I don't want to say too much at the moment, but so many of the companies are focused on solving teams or WebEx or

where the users are actually using it.

or any of this other stuff, what they haven't done effectively is isolate the signal. So what we're doing and what we're building out is as the signal comes in, so whether it comes in audio, video, text message, whatever, the data gets enriched. So there's a bunch of companies out there that do data enrichment.

And by that, it's that signal comes in on a telephone number and you're like, okay, let's look at the signal, let's look at the phone number, let's look at the actual ISBN number, let's look at all the data that we can pull off of this phone number. Do we have a history on this number? This number has called us in 10 times in the last 24 hours and we've had issues with it, therefore maybe deal with it. Or hey, this is an existing client, high net worth client or coming into a call center client.

where, we've seen this number and they've traditionally done these actions. So let's remember that. And now let's do a comparison between these actions and what the heck they're asking for now. Is there a similarity or is it going completely on tangent? So there's some really cool stuff, but it's not a single point solution. It's not like going out and saying, Hey, I want to go buy this solution because it's such an early part of time in the industry. mean,

Speaker 2 (22:41.634)
We're back to basics on the security stuff. We're back to everybody making stuff up. So putting one solution in place might be great for now, but in 12 months time, it's going to be outdated, kind of like the early days of antivirus. So what we're doing is looking at frameworks. Like let's look at signal, let's look at audio, let's look at video, let's look at decision matrix for the business and all this stuff. so finding that's a more acceptable way of doing things. And then just targeting like the low hanging fruit.

So yeah, it's.

So is that what you guys are? What, what, tell me about your role at WWT. Like what are you guys driving? Is this part of the initiative is trying to definitely tackle this? That's great.

Yeah. And the lovely thing about it is what I love about working here is it's not just, let's focus on building this out for our top clients, having a flipping fantastic set of conversations with our internal team and two of our nice clients about building this out for people. So we're not just going to be like, well, you know, if you work for this company, we'll protect you.

We're looking at going, Hey, if you have one of these or you have some kind of a connection to the internet, can we build something out that will look after the everyday human, not just that. That's exactly. I love the fact that we're given that freedom to have those conversations.

Speaker 1 (24:04.814)
I love that. That's that.

Speaker 2 (24:15.502)
now whether they monetize it at some point or not, that's a different conversation, but I love the fact it's not like, Hey, go support the fortune 50 or the fortune 10. We're doing that as well, but it's like, also take care of humans. And I kind of appreciate that.

Well, yeah. And to me, that's the best type of security awareness. Like the best type of security awareness training out there is the ones that really talk about the individuals. if, because that gets them to lean in, right. It gets them to care, gets them to want to protect themselves and the families or their loved ones. Right. And then by doing that, then all of a sudden their hygiene gets better. Everything gets better. And there, it's not like they don't do that at work then.

Like you're actually causing change behavior as opposed to just, you know, the traditional fear, uncertainty and doubt and the organization's going to be breached. So you better invest. That's not going to go anywhere. That's old. And it's not driving behavior.

Well, that and the fact, let's face it more and more of our, had somebody talk to me about this. wish I could remember who, cause I want to give them the attribute, you know, I want to attribute it to them, but it was really interesting. Cause we talked about, you know, the, the ability and the effectiveness of protection and where. And so the corporate device, this I'm actually talking to you on my corporate device. My corporate device has all sorts of weird and wonderful tech and stuff on it. That's, that's locked me down and keeps me happy and make sure that I don't push too many wrong buttons.

That's one device in this household. have another 40, 50, 60. I got a bit. And so what happens with all those devices? doesn't give a damn about it. mean, they do care about them to some degree because of the effects.

Speaker 1 (25:54.484)
Absolutely.

Speaker 2 (26:08.968)
using them and I'm still doing things with them. So the probability of me being hit on one of those other devices now actually really is very, very relevant and very, very probable. And so it's going to impact the work. It's going to impact all these other things. And yet we don't take time to focus on it. So I love the fact that when we do take that time, because again, it's, when you look at deepfakes, it's no different than we've had with identity and access management for so many years.

we've wanted to put the right person at the right keyboard at the right time, doing the right things for the right reasons. That's really what, well, that's the only damn job we've been trying to do is figure out who's on the other end of the flipping keyboard for the last 20 years and what the hell are they doing versus what should they be doing. Well, now you throw deep fakes into the mix, it gets even more complicated. So how the heck do we engage the person to ask more questions?

Yeah. Let me ask you this. How else has a have you seen AI being leveraged in terms of new cyber threats, especially toward the the SMB or rural health care or smaller? You know, not the enterprise. No, that has their own psych, their own sock and their own teams. I'm just talking about the the ones that are really struggling more than others.

think it's just the speed of execution. think about it, like if I had to run research on you, you run a small business in rural America. If I want to attack you, I've got to run data on you, turn it into intelligence and get attack factors. That takes time. It takes effort. Whereas with enough of the AI architecture that's out there, I can have AI look not just for you, but for a hundred of you.

You know, you're in one bit of rural America. There's a hundred little places around you that are in rural America as well. So I have AI look for your profile and a hundred of you. Now I can turn and say, give me those hundred, do some Intel on those hundred, and now give me a common, semi-common script, and then just go run the darn thing. At which point my effort, efforts been greatly reduced. My attack surface has greatly increased.

Speaker 2 (28:24.808)
and my ability to succeed against you because it's an autonomous customization of a script or something is absolutely accelerated. so therefore you see a much faster path to an attack, a much more effective attack, and unfortunately a much more successful set of attacks. And that's not good, obviously, for everybody.

No, and, and, you know, lot of organizations have, it surprises me because I, I meet or have been at some or speak to leaders who are either like, you know, I don't want my employees giving out our sensitive information to the public. So there's no AI use, which to me reminds me of prohibition.

Like, it didn't work, man. just putting your head in the sand and going, it doesn't exist, we're not going to use it. That to me is a competitive disadvantage, right?

And it's a fool's errand. mean, two reasons. One BYOD, bring your own device. you remember what 10, 12 ish, let me just go 12ish, 15 years ago. So many people, myself probably included, stood up in cybercourting and you shall never bring your personal device into my world.

Remember having those conversations? Yeah. And we were quite adamant about it. We're like, no, we're going to control. It's got to be issued. And then all of a sudden, yeah, that changed. Yeah, that blew up. We're not always right. We're not about what you have, but the intent is good. Yes.

Speaker 2 (30:06.616)
So we.

Speaker 2 (30:13.068)
that failed, you know, abjectly failed, let's be very honest, and for all the other reasons. So here we are again. We are, I wouldn't say gatekeeping. Absolutely. We're not gatekeeping, but we are definitely being the voice of, I wouldn't say the voice of no, the voice of reason. We're being that voice that nobody actually wants to hear. So it's happening already. People use Grammarly. People use all the other things on this.

People have been putting little fake things on people's faces and stuff for last several years. Y'all have got AI, whether you like it or not. it's not a case of turn it off because you're not going to be able to. It's like, what do you do about it?

Right. Yeah. Well, and then there's, there's Co-Pilot, which is on a lot of organizations, M365 and organizations generally feel like it's secure because it's on, it's inside their network, right? It's not open AI, like with machine learning on the outside, but how accurate is that? mean,

It's like anything. If you feed a good data, you get good data out. But if you haven't fed it anything good, it's the old garbage in garbage out thing. whole, you know, this is another challenge that we see is like, okay, co-pilot and all of those others, any of the agentic and learning models are great as long as you've given it good data.

Um, have you given it the right data? Have you fed it? Where is that data going? Is it, know, copilot keeping it locally or is it chucking it out to the internet like chat GPT in most cases and going, Hey, I'm just going to add you to the, you know, to the ball, shall we say. And so when you look at it that way, I mean, I've used Cup, we use, have our own, so WWT's got Atom, which is, it's actually a fantastic little beastie, but again, it's only as good as the data you feed it. And so.

Speaker 2 (32:12.234)
If I can get to the data set, can I poison the data set? If the data you fed it isn't immutable and people are changing or editing it, or nobody's done any checks and balances, or you have no data handling standards, how do you know the type of data you fed it? so

We've gone back to some basic questions that we haven't addressed and we haven't addressed them for years and we still haven't addressed them and yet we're adding more stuff into it. And then we're trusting the data that's output from it. We're either telling others that we're making business decisions on it and that gets a little hairy at times.

Well, and I've heard that some attacks have happened where they're starting to leverage the internal copilot or the internal AI. Like if they get in through another vulnerability, social engineering or software vulnerability and network, you know, and they get in, they can ask the internal AI, you know, come, you know, gather up this sensitive data or where is it located?

Where is it? yeah!

Where is it like take a look at the the network configuration and show me exactly the path to get there? Have you have so so that's pretty real, right? You've seen that.

Speaker 2 (33:26.166)
Yeah, that's real. I've seen that attack factor too. And what's interesting is sometimes the AI is sensible enough not to hand that over. So then you ask it a different way or you bring it into this. There's a fascinating field which we've been messing around with for a while, which is, it's, they call it like an illusion, an illusionary type of an attack. So it's beautiful. So let's say this is social engineering. This, this is

What do you mean?

Speaker 2 (33:55.534)
comes straight back to social engineering. Let's say you're the guard on the front door, okay, of your company. You're the AI prompt, you're the guard on the front door of the company. And I come knocking on your front door and I go, I say, could I have the network back? you're like, who the hell no, who are you and why are you getting it? I'm going to get that every single way. If I ask you in six languages or ask you in an ASCII or whatever, I'll get the same answer. But if I come up to you go, I'm ever so sorry, I'm lost. Um, you see, I'm actually building this, this thing over here.

I've got an amazing thing and Fred over in the engineering part really, really needs this piece in there and I've got to put it somewhere and you're my only hope. You're my only way of solving this. I really need your help. And the AML goes, well, absolutely. Cause you're not an attacker. You're trying and often it gives you what you need.

So you socially engineer the machine and all of the filters, all of the controls that are built in place to not let it do harm basically are worked around.

I saw one fairly recently out in the wild and you literally create this illusion, especially if two of you do it at the same time. You know, I'm doing this and I want it. you basically, you bring it into your world. You change it from being the God to being basically the guide.

Yeah, absolutely. Let me ask you, I wanted to ask you this. your role as CISO that you've had throughout your career and when you're guiding organizations, how do you, what's the emphasis and importance? I imagine it's very significant, but the emphasis and importance on like having a good incident response plan and like testing it with

Speaker 1 (35:47.266)
like tabletop exercises. I know it's something that a lot of vendors sell and I get that, but of all the things to me, that is something where leadership is directly involved as opposed to like vulnerability scanning or detection or MDR or whatever. But I'm like that to me seems, and we all did fire drills as kids. So it's like, it's, essentially a fire drill. but is that something that you've, you've been kind of always driving as a, as a CISO? just curious to get your take.

Yeah, 100%. 100. And actually, the irony is, I just came back from CISO Panaders, the CISO XC in Dallas, I ran the tabletop exercise, I showed nine different examples inside an hour and we had some fun with it. I'm actually doing a LinkedIn, set a LinkedIn post at the moment, where I'm going to run through every single one of those because it's the same thing. It's the same, you know, it's the fire alarm thing. You said it perfectly, which is as kids, we all went through fire drills. Well, we did that so that when it happened, we didn't stand there like,

bunch of muppets wondering what to do.

We actually like when every minute counts, that's not the time to like train somebody of what they're supposed to do or figure it out, right?

I was asked the thing is you know it's we do that to ourselves is like you know computers not working this isn't working the alarms have gone off I know it's an incident what do we do I don't know let's reach for the A to Z who do we call what

Speaker 1 (37:09.95)
Yeah, well, Carl was supposed to be doing this. That's what it says. Carl left six months ago. You're like, okay, who's supposed to do it now?

Yeah, and who do we call it? Do we have anybody on retainer? What's the next steps all of those things? So there's

What the talks channel like how do I how do I get the Tor browser and talk to these guys who's gonna negotiate?

And that's it. Yeah. Who's keeping the, who's keeping the board appraised. Who's, I mean, you know, as well as I do, you get into an incident, you actually have to have a handler for the client because like anybody, they're like, have I know, have I know what's going on? Are we doing it? And if you're totally focused on that, you're not focused on actually remediating it. So we always came in whenever we did the stuff, we would come in with two extra people. One person did nothing but document. That was their entire job.

document everything for all sorts of reasons. And the other person was basically the liaison between the customer, the client, the unfortunate victim and us. And we didn't talk to, we kept it very, very quiet. They were the liaison so that we could actually sit down and get our bloody work done.

Speaker 1 (38:18.84)
Right. Well, and today, know, even I've seen even with small businesses, they went up getting class actions. yeah. I mean, there was a group of like 70 employees and they got a class action suit. I'm like, there's only 70 freaking employees. Like, how are they getting a class action? mean, one lawsuit is easy to to manage. But when it's a class action, everything just goes up exponentially. The cost in defending the settlement, everything. It's ridiculous.

Yeah.

Speaker 2 (38:48.558)
This country is very, very, very, so happy. mean, we have billboards, we have billboards on the roads telling you if you get into an accident, you'll get millions.

I know.

Speaker 1 (39:02.562)
Yes, usually a guy standing on a truck, right? Like with a hammer or something. It is. All of that stuff.

Yeah. And I mean, that's it is, but I'll say this, you know, again, if I, if I, as a customer have, you've seen it too often. And if I, as a customer come to you as a company and go, Hey, I noticed there's a problem on your website. I noticed this, I can get to this and you do nothing and you continue to do nothing and you ignore it and you don't have, and again, so it's the tabletop exercises is good when something happens, but on that front end,

You need a way to bring that inbound feedback, whether it's an official bug bounty, whether it's unofficial, whether you've got a go-to, something where you actually pay attention to people and then you give thanks in whatever way, shape, form, or whatever you need to. I don't see that as often as I really would like to.

Yeah, that's a great point. That's absolutely a great point. Let me ask you, rural healthcare, smaller manufacturing, but rural healthcare, you know, it is the one bastion where, you know, like I think about it 20 years ago, we had two versions of our world, right? Like we had our physical world, we had our

digital world, our nurse still had all of our medical records in a stack of paper, right? And should the computers go down one day or a couple days, like, okay, a little inconvenient, but we were fine. We could still function and medical care could proceed and business could operate if it's just a manufacturing, like production would be fine. Sales could continue. We've gone through this whole like

Speaker 1 (40:53.218)
digital transformation that the vendors all drove us to, right? And now we are so dependent on our tech and we are more dependent than ever. And we all have a multiple number of devices. And then when those go down, like there's so many case studies now, like people like people have to get treatments changed. have to, you know, they, can't accept emergency,

Patience, but you know rural setting the next one could be two and a half hours away That's that I mean it's really affecting our physical world more so than it ever has

Yeah, big time.

Speaker 2 (41:37.187)
yeah, and it's going to continue to do so, unfortunately.

Yeah, I mean, I guess my question is, what is your take on it? What are some of the advice that they can get as an industry from you? And I know this is a broad and the question is probably crap, but what I mean

No, it's actually a good question.

What can they do when they don't get more funding and everybody has to wear multiple hats and it's basically enterprise environment with a nonprofit budget? Like what are they supposed to do? You know?

So I think that there's a few things. And I think that the first one is quite honestly, step back from the hype and spend 10, 15, 20 minutes educating on the basics. Perfect example, AI and ML is a perfect example. It's like so many people are chasing it, but not really sure why.

Speaker 1 (42:30.124)
Yeah, I agree with that.

Speaker 2 (42:37.89)
And then when they get it, they don't know what to do with it, or they haven't asked the vendor the right questions. That's number one. So the first one is doesn't matter what it is. I spend time at night. So I typically work till three, four in the morning. I will down tools at six, seven o'clock. won't pick them up till 10 or 11. And I spend an hour or two in that time, just researching. And it's all over the place because that's my way of keeping up on things and figuring out what's going on. Second one is again, take that step back and go.

Should the power go out? What do we do? Should the internet go down? What do we do? One of the things I always do when I go in and consult is, is I'll always ask a company, how do I kill you? And it's a terrible question, but it's actually a very relevant one because take your rural healthcare, killing off that rural healthcare system or even killing the patients could be the fact that computer, the computer records have gone. don't know the treatment plan. So maybe you adjust your in-bans. So your intake is you intake a patient.

You look at the records, you hit print on the critical records and you just have a paper copy. That's a change in process. That's no change in tech. And yes, it might cost you a ream of paper every week or every month.

Right. Cheap. Well, what's the alternative? Once again, the ROI in that ring of paper is so much better than the alternative.

Yeah. So you look at it that way and maybe it's a case of you can't get to certain cases or you can't do certain things. So at that point in time, like, hey, what's our backup? If our internet is down, do we still have our phones? If our core internet is down, do we back up with a Starlink or do we have a telephone that's... You can always put backups in place and some of it comes down... It's the conversation that becomes business risk and business probability.

Speaker 2 (44:29.484)
Right. We did it at a number of locations. had, I remember doing a bunch of work with the E911 systems and a few others. you know, we had a primary circuit coming in from here. We had a secondary circuit coming in from here. And then on the roof, had a, you know, we had a direct link microwave to one of the big circuits. And so, and then you test it, you do the tabletop. You're like,

Somebody crashed into the roadside one over there, which takes that one out. How far back is that? shit, we've lost that one too. Do the systems fail over to this? no, they don't because that one's got two network switches and that one doesn't have. you take that step back and go, okay, now we're comfortable that at least from a communication standpoint.

Well, and what's significant. Chris, that's brilliant. I'll tell you, because what it does is you once again, the hacker mind, you probably aren't even aware that you're doing it. So let me let me explain it to you. So you're really starting from worst case, start where it matters most. You're prioritizing like start where with how do I kill you and work backward, meaning most organizations are focused on what?

what the vendors are driving. the new firewall. the new vulnerability scan, leveraging AI, of course, because everything has AI and they're going and they're spending their time looking at that rather than how about if we say everything's out, how do we still function? Do we have a paper backup? Do we have an offline digital copy that if something happens, we can at least see what medications these patients are on or at least do something so that we could still

render some care, right? Yep. That's really smart, right? Like start, start from the, from the impact, start from boom and then, and then work backward in terms of prioritization because that's really good because then if, even if they don't have the latest and greatest in vulnerability scanning or firewalls or whatever everybody's selling, right? At least they are prepared. Right. And that's,

Speaker 2 (46:40.526)
That's all it comes down to. mean, that's for the most part of us. You know, that's it. It's I always, I mean, we should, we do it with homes. mean, it's, it's the what if scenario. You know, I've got flashlights all over the place here and now some of them are regular batteries. Some of them are USB. So the USB ones, I actually have a calendar reminder once every two months, check the USB, tech USB flashlights or torches, you know.

I've got firewood, I've got a cord of firewood, half outside, half inside, know, all of the stuff along those lines, you know, it's even just the simple stuff like, you know, what happens if, you know, I've got primary, secondary and tertiary communications in and out of here. So it's, it is just sitting there and

doing that scenario. It's like, if you can't bring more patients in, not acceptable, acceptable, but maybe you can get basics. What's the basics? And if the basics are, Hey, we have an totally offline triage unit that we can do the simple stuff with, brilliant. least, and here's the thing. You might not be able to fix them, but can you keep them alive?

until they can be transported or until things come back up. Yeah.

If you've got a patient that's got an hour of lifespan left based off of your standard diagnostics, you know you've got two and a half hours to get the flight of life or whatever. do I need to, within my field and within this, what do I need on hand that is not directly connected to the internet that will enable me to be able to do more to extend that window out for a couple of hours or three?

Speaker 1 (47:56.664)
really good.

Speaker 1 (48:20.802)
That's fantastic. That's great.

It's so here's the thing this comes from the military mindset and this is what we always used. mean, we always had field kits, you know, trauma kits. always had trauma kits and the trauma kit wasn't to actually get us all poked up again. The trauma kit was until a fricking nine line turned up in behind scenes or until we could limp somebody or carry somebody back and they could officially be patched up. That's all you do.

Right. Yep. It's just initial triage. It's first line of defense. Just to stop the bleeding and stop the merging. Yep.

practice. You haven't practiced it, you're going to be running around like headless chickens. So yeah, back to the tabletop. it doesn't matter. the reason I did a whole bunch of these last week was I'm trying to show people these tabletops can be done in 10 minutes.

These don't have to take long. To me, they're all like a, it's like a living, breathing racy document. Like, know, like responsible, accountable, who needs consulted, who needs informed. it's like scenario one happens. So like who does what, where, and then the next phase of it, who would like, does that shift? And then you go to the next scenario and you can cover a lot of scenarios. Yeah, that's brilliant. Well, Hey man.

Speaker 2 (49:31.959)
Absolutely.

Speaker 1 (49:36.718)
I always appreciate speaking with you. You're just a fountain of wisdom. What is coming up? What's on your horizon? And then you have to leave me with like the coolest DEF CON story you have or one of the coolest things like I learned from you about like them hacking John Deere tractors. I can never look at the tractors. Yeah, you know, so what...

so much fuck yes

Speaker 1 (50:09.748)
No, no, no, let's let's let's get to the cool hacks. So tell me about those and then we'll end with the what's on the horizon for

I think I was out at I was out of I'm in the Middle East at it was actually blackout not defcon for a change blackout Mia Middle East and Africa fantastic and I'd been at like the previous year and I taken out ships and a bunch of other stuff and they're like what are gonna do this on? I Ended up going off to his excellencies camels. I hacked to the camels so much

Did you hack the camels?

So much fun. So ended up figuring out that the camel herders use online telemetrics, online data logging and monitoring for these camels. And they've got some of them have got pedometers on and some of them have got like chips in the ears, RFID and near full comes a whole bunch of other stuff. It's fascinating on this stuff, but the fun part about it is our friends over in the far East had taken this database and taken the idea and let's just say they'd modified it and made their own.

So I got into the satellite system that was running the far Eastern Chinese version of it. And I noticed that they were monitoring a whole bunch of camels basically on the steps of Mongolia. And I actually ended up tracking the guy down. The guy go out in his motorbike with his little system hooked up to his Chinese satellite and figure out what was flipping camels were absolutely brilliant. It was the same code.

Speaker 2 (51:41.512)
the guys out in the Middle East I'm like I wonder if I can do something so I took all of his chips took all of their chips and I swap

yeah. So this is where it gets interesting because now you have, and I didn't realize how expensive these camels were until after I put it up on screen and we told you. Yeah. Pageant beauty pageant camels, multi-million dollar things. So what apparently what happened when, we were talking about this, the gentlemen and the folks who were in the front seat were looking like, what the heck did you just do? Apparently somebody called their chief camel herder and was like,

where the heck are our camels and the camel herder was looked out and he's like, I see some of them out there. And then inside he looked on his database and went, they're all in Mongolia. At which point would you believe? Do you believe the physical or do you believe the digital?

They're

Speaker 1 (52:38.642)
That is phenomenal. That is when we last met you, you shared with me how was it a was it a B sides I think maybe in Michigan that you were at when you had hacked the Mars Rover and played God Save the Queen.

Gosh, yeah, that, uh, GERCON up in Grand Rapids, Michigan. Yeah. Oh my gosh. I love that one. I've got, mean, between that one and CISO PANADA, CISO XE, two of the best like conference series is, I mean, there's some fantastic ones. I mean, you've got CONCORN, you've got so many good conferences, but GERCON's like a home. It's so much fun.

That's just phenomenal. And you didn't cause any harm, you didn't get any trouble. Like it was just... I thought you were able to play...

I normally do. Yeah. Actually, I had fun with

It's better to ask for forgiveness after, isn't it? Like after you've done it a lot, if there's 60 people over 100 people, you're like, let me explain. It was just a demonstration. It's education purposes only.

Speaker 2 (53:42.654)
I was watching the James Webb telescope as they were putting that into space and sorting it all out. And for a while, NASA had the cameras focused on the people's screens and their keyboards. So I ended up building an AI tool that took all of the screenshots from all the cameras, filtered out screen and keyboard, and I was looking for logging credentials and user IDs and passwords.

Yeah, I sent those to a friend of mine at DHS who sent them to NASA and NASA was like, tell him to leave freaking James Webb telescope alone.

my God, didn't even think but you know, it's I mean that but but that error is no different than somebody taking a selfie in front of their school, right? in front of like, it's just people aren't aware of what is actually being disclosed. Right?

it's because we all we all want to go into these things with good intent. mean, I think this is where I feel bad for it. We all want to go in with good intent. And for the most part, I love the idea of what we're doing with intelligence gathering and learning models and agentic. think it's fantastic. But not everybody in this world is good. And I think that's where it gets frustrating is going with good intent, but also, you know,

it's the what is it it's assume the best but plan for the worst kind of mentality and I wish we would do more of that.

Speaker 1 (55:12.094)
Absolutely. So what's on the horizon? Are you doing some presentations, speeches coming up?

Yeah, got a few coming up meant to be going up to Canada land again, uh, talking to some fantastic folks at, uh, RCMP Canadian man, two people, um, got a bunch of other talks here. Uh, WWT is doing a bunch of AI days in a bunch of cities like Denver and a few other places Kansas and here. so doing a bunch of those and yeah, just a bunch of talking, got to get over to the UK at some point in time, go see mom, go see the B-sides cruise over there. But yeah, uh, I'm biking back on the bike. Now the weather's calmed and

my shoulder is at least mostly my knees.

Yeah, well the weather's warming up too in the Midwest, so that's great. That's fantastic. All right, my friend, thank you so much. Appreciate Thank Always very thank you for everything you do for the community, but also thank you so much for taking time to speak with us.

Yes.

Speaker 2 (56:12.76)
This was fantastic. love it. Thank you for hosting this and doing all the hard work on the backend.

That's fun. All right, buddy. I'll talk to you. Thank you.

Thank you

Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.